SpiceGirl Family Viruses Information

Name: SpiceGirl Family
Category: Viruses
Description: Details
SpiceGirl Family

These are harmless memory-resident parasitic viruses. They hook INT 21h and write themselves to the beginning of COM files (except COMMAND.COM) that are accessed. The viruses are encrypted starting from the 1619-byte version. Starting from the 2123-byte version they are semi-stealth: when an infected file is opened, they create a temporary file, write a disinfected copy of the original file to it, and return the handle of the disinfected copy instead of that of the original file. On closing, the viruses delete the temporary file.
The viruses use a new way to avoid detection: the infected files have no entry point (start code) inside the file. The entry-point address in infected files lies outside the file body, so it is impossible to reach the virus code by parsing the EXE header. To implement this method the virus uses several PSP (Program Segment Prefix) and EXE header tricks.
The virus code is in EXE format, i.e. the virus as a program is an EXE program with an EXE header, relocation table and so on (as a result, infected COM files have the EXE internal format). The EXE header fields in the virus (initial CS and IP) are patched so that the entry address points not to file code but to PSP data (i.e. outside the file). At that address the PSP contains the RET FAR code that follows the call to the INT 21h handler. So the virus entry address points to the RET FAR code, and control is then passed to the code pointed to by the stack. To pass control to its real entry code, the virus has initial stack registers (SS and SP) in its EXE header and stack data that points to the real entry:
     +------------+ PSP                    Control flow
0000 ¦CD 20       ¦
.... ¦            ¦                                  ¦
0050 ¦CD 21       ¦                                  ¦
0052 ¦CB / RET FAR¦ Entry address, DOS will    <-----+
.... ¦            ¦ bring control to here       -----+
                                                     ¦
0100 +------------+ Virus code (file image)          ¦
     ¦            ¦                                  ¦
     ¦------------¦                                  ¦
     ¦Stack       ¦ Stack data points to        ---->¦
     ¦            ¦ real entry                       ¦
     ¦------------¦                                  ¦
     ¦            ¦ Real virus entry code      <-----+
     ¦ . . .      ¦
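
Added example (not part of the original description, and not code from any antivirus product): a Python check that parses the MZ header of a file and flags an entry point that resolves into the PSP instead of the file image, as well as MZ content under a .COM extension. The sample images are constructed header-only files; encoding PSP:0052 as CS=FFF0h, IP=0052h is an assumption, as are all function names.

```python
import struct

# Standard DOS MZ header: 2-byte magic followed by 13 little-endian words.
MZ_FIELDS = "magic cblp cp crlc cparhdr minalloc maxalloc ss sp csum ip cs lfarlc ovno".split()

def classify_entry(data: bytes):
    """Return (verdict, offset) describing where the MZ entry point lands."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        return ("not_mz", None)
    h = dict(zip(MZ_FIELDS, struct.unpack_from("<2s13H", data)))
    # Load module size: whole 512-byte pages, minus the unused tail of the
    # last page, minus the header paragraphs.
    size = h["cp"] * 512 - ((512 - h["cblp"]) if h["cblp"] else 0) - h["cparhdr"] * 16
    # DOS adds the load segment to CS modulo 0x10000, so CS 0xFFF0..0xFFFF
    # wraps into the 0x10 paragraphs just below the load module: the PSP.
    seg = h["cs"] - 0x10000 if h["cs"] >= 0xFFF0 else h["cs"]
    rel = seg * 16 + h["ip"]              # entry offset relative to load module
    if -0x100 <= rel < 0:
        return ("in_psp", 0x100 + rel)    # offset inside the 256-byte PSP
    if 0 <= rel < size:
        return ("in_image", rel)
    return ("outside_image", rel)

def scan(name: str, data: bytes):
    """Return a list of findings for one file (empty list = nothing flagged)."""
    verdict, off = classify_entry(data)
    findings = []
    if verdict != "not_mz" and name.upper().endswith(".COM"):
        findings.append("MZ image under .COM extension")
    if verdict == "in_psp":
        findings.append(f"entry point at PSP:{off:04X}, outside the file image")
    elif verdict == "outside_image":
        findings.append("entry point beyond the load module")
    return findings

def build_sample(cs: int, ip: int, body: bytes = bytes(64)) -> bytes:
    """Constructed header-only test image (32-byte header + zero body)."""
    total = 32 + len(body)
    hdr = struct.pack("<2s13H", b"MZ", total % 512, (total + 511) // 512,
                      0, 2, 0, 0xFFFF, 0, 0x80, 0, ip, cs, 0x1C, 0)
    return hdr.ljust(32, b"\0") + body

if __name__ == "__main__":
    # CS=FFF0h, IP=0052h is an assumed encoding of the PSP:0052 entry described above.
    for label, img in [("PSP.COM", build_sample(0xFFF0, 0x52)), ("OK.EXE", build_sample(0, 0x10))]:
        print(label, scan(label, img))
```

A scanner that only follows CS:IP into the file body finds no code for such a file; checking where the entry address resolves turns the same trick into a detection signal.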

The viruses contain the text strings:
What? 'Error: invalid program'? Me? Fprot, are you crazy? :)
And you, Avp, 'EXE file but COM extension'. What a deep scan. ;)
Spice_Girls virus causes problems to your scan engine eh? :)



© 2006-2008 spyware32.com